Currently the security level of our current student project is very very low. The user inputs on the login form are not validated at all, and thus can be used to perform SQL injections. The passwords of the users are stored in clear text, which is also a very bad practice, but security was not the focus of this project. The value of the login session is not checked either, which can thereby also be used for SQL injections. However there are no special privileges on users; there are no admin users, so an attacker would not be able to elevate his privileges. The method to prevent these SQL injections are simple: Validate the inputs. All user inputs must be validated to ensure that the inputs cannot do any harm on the SQL server or web server. The server generated session must also be validated, since it can be tampered with by malicious users. Furthermore the password column of the user table in the database should be encrypted instead of clear text. 

The application in our student project runs on an Apache web server which is a very popular web server. It would perhaps be possible to perform a buffer overflow via for example the user inputs, so that the server application overflows and the attacker can then execute his own code. This could for example lead to the execution of a shutdown command, so that the server shuts down. The prevention technique here is again to validate the inputs, so that no input exceeds the allowed value of the given type of input. 

Another type of attack could be the "format string" type attack. The student project allows users to register, and displays their name on the site. If a user enters malicious code in the name field of the registration, and this input is not validated, it would be possible to execute the malicious code when the site was supposed to display the name of the user. To prevent this, the user inputs especially those on the registration site must be validated properly.